speckit-plan-zh
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted user data from specification files which can influence agent behavior in downstream steps.
  - Ingestion points: The skill reads `spec.md` files (via `execute-workflow.ps1` and `setup-plan.ps1`) provided by the user.
  - Boundary markers: There are no explicit delimiters or 'ignore embedded instructions' markers used when the content of the specification is interpolated into the planning documents or the agent context.
  - Capability inventory: The skill can execute local PowerShell/Bash scripts, create directories, and write to various markdown and YAML files across the repository.
  - Sanitization: While branch names are sanitized using alphanumeric filtering in `create-new-feature.ps1/sh`, the text content from the specification files is not sanitized before being written to files like `research.md` or `claude-context.md`.
- [COMMAND_EXECUTION] (SAFE): The skill performs local command execution (git, mkdir, cp). Commands that incorporate user input (specifically branch name generation) utilize strict alphanumeric filtering to prevent shell injection or metacharacter exploitation.
- [DATA_EXFILTRATION] (SAFE): No network-reaching operations were identified. The scripts use local filesystem operations and git commands within the current repository context.
- [REMOTE_CODE_EXECUTION] (SAFE): No patterns of downloading and executing remote scripts (e.g., piped curl to bash) were found. All executable logic resides within the skill's local script files.
Audit Metadata